9.8

CVE-2019-19006

Warnung
Medienbericht
Exploit
Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Control.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
SangomaFreepbx Version >= 13.0.0.0 <= 13.0.197.13
SangomaFreepbx Version >= 14.0.0.0 <= 14.0.13.11
SangomaFreepbx Version >= 15.0.0.0 <= 15.0.16.26

03.02.2026: CISA Known Exploited Vulnerabilities (KEV) Catalog

Sangoma FreePBX Improper Authentication Vulnerability

Schwachstelle

Sangoma FreePBX contains an improper authentication vulnerability that potentially allows unauthorized users to bypass password authentication and access services provided by the FreePBX admin.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 36.62% 0.983
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
04.02.2026 08:58
https://community.freepbx.org/t/freepbx-security-vulnerability-sec-2019-001/62772
Vendor Advisory
https://pastebin.com/2CdsQMKW
Broken Link
https://wiki.freepbx.org/display/FOP/2019-11-20+Remote+Admin+Authentication+Bypass
Vendor Advisory
https://www.freepbx.org/category/blog/
Product
https://research.checkpoint.com/2020/inj3ctor3-operation-leveraging-asterisk-servers-for-monetization/
Third Party Advisory
Exploit
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-19006
US Government Resource